Sunday, November 29, 2009

What are the best-practice configurations to secure a router?

SkyHi @ Sunday, November 29, 2009
Here are some important general principles for maintaining good router security.

1. Create and maintain a written router security policy. The policy
should identify who is allowed to log in to the router, who is allowed
to configure and update it, and should outline the logging and
management practices.


2. Have offline master copies of your router configuration files!

3. Implement access control lists (ACLs) that allow only the required protocols, ports and IP addresses, and deny everything else.

MyRouter(config)# no access-list 49
MyRouter(config)# access-list 49 permit host <IP address of host>
MyRouter(config)# access-list 49 deny any log


General best practice rules:

MyRouter(config)# no access-list 107
MyRouter(config)# ! block our internal addresses on external interfaces
MyRouter(config)# ! (IOS ACLs take a wildcard mask, the inverse of the subnet mask)
MyRouter(config)# access-list 107 deny ip <internal network 1> <wildcard mask> any log
MyRouter(config)# access-list 107 deny ip <internal network 2> <wildcard mask> any log

MyRouter(config)# ! block special/reserved addresses
MyRouter(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
MyRouter(config)# access-list 107 deny ip 0.0.0.0 0.255.255.255 any log
MyRouter(config)# access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
MyRouter(config)# ! link-local range
MyRouter(config)# access-list 107 deny ip 169.254.0.0 0.0.255.255 any log
MyRouter(config)# access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
MyRouter(config)# access-list 107 deny ip 192.168.0.0 0.0.255.255 any log

MyRouter(config)# ! block multicast (if not used)
MyRouter(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any

MyRouter(config)# ! block some ICMP message types
MyRouter(config)# access-list 107 deny icmp any any redirect log
MyRouter(config)# access-list 107 deny icmp any any echo log
MyRouter(config)# access-list 107 deny icmp any any mask-request log

MyRouter(config)# ! everything else is allowed in only if it is destined for an internal network
MyRouter(config)# access-list 107 permit ip any <internal network 1> 0.0.255.255
MyRouter(config)# access-list 107 permit ip any <internal network 2> 0.0.255.255

MyRouter(config)# interface Eth 0/0
MyRouter(config-if)# description External interface
MyRouter(config-if)# ip access-group 107 in
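Wildcard masks are easy to get wrong (0.15.255.255 versus 0.0.15.255, for instance), and a spoofing filter that has a gap in it fails silently. The following Python script is an added example, not part of the original post: it parses access-list lines in the form used above, converts each wildcard mask to a prefix, checks that every reserved source range the list is meant to block is fully covered by a deny entry, and evaluates a packet against the list with IOS first-match semantics. The sample ACL text is constructed for the example, with the internal-network placeholder filled in with the documentation prefix 192.0.2.0/24.

```python
import ipaddress
import re

# Constructed sample: the anti-spoofing part of ACL 107, with the <internal network>
# placeholders replaced by the documentation prefix 192.0.2.0/24.
SAMPLE_ACL = """
access-list 107 deny ip 192.0.2.0 0.0.0.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 0.0.0.0 0.255.255.255 any log
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 169.254.0.0 0.0.255.255 any log
access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
access-list 107 deny ip 224.0.0.0 15.255.255.255 any
access-list 107 permit ip any 192.0.2.0 0.0.0.255
"""

# Source ranges that should never arrive on an external interface.
RESERVED_SOURCES = {
    "loopback": "127.0.0.0/8",
    "this-network": "0.0.0.0/8",
    "rfc1918-10": "10.0.0.0/8",
    "link-local": "169.254.0.0/16",
    "rfc1918-172": "172.16.0.0/12",
    "rfc1918-192": "192.168.0.0/16",
    "multicast": "224.0.0.0/4",
}

# One access-list entry: number, action, protocol, source, destination, trailing options.
ACE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)(?P<rest>.*)$"
)


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: a 0 bit must match, a 1 bit is ignored."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # Only a contiguous run of match bits maps onto a single CIDR prefix.
    if mask and ((mask | (mask - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def to_network(field):
    """Map an ACL address field (any / host X / addr wildcard) to an IPv4Network."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if field.startswith("host "):
        return ipaddress.ip_network(field.split()[1] + "/32")
    addr, wildcard = field.split()
    return wildcard_to_network(addr, wildcard)


def parse_acl(text):
    """Parse access-list lines in order; order matters because the first match wins."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if m:
            entries.append({
                "list": int(m["num"]),
                "action": m["action"],
                "proto": m["proto"],
                "src": to_network(m["src"]),
                "dst": to_network(m["dst"]),
                "log": m["rest"].split()[-1:] == ["log"],
            })
    return entries


def uncovered_reserved(entries):
    """Names of reserved source ranges that no 'deny ip' entry covers completely."""
    denied = [e["src"] for e in entries if e["action"] == "deny" and e["proto"] == "ip"]
    return [name for name, cidr in RESERVED_SOURCES.items()
            if not any(ipaddress.ip_network(cidr).subnet_of(d) for d in denied)]


def evaluate(entries, src, dst, proto="ip"):
    """First-match evaluation with the implicit 'deny any' at the end of every IOS ACL.
    ICMP type keywords (redirect, echo, ...) in the trailing options are not modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]:
            return e["action"], e["log"]
    return "deny", False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("reserved ranges not blocked:", uncovered_reserved(acl) or "none")
    print("10.1.2.3 -> 192.0.2.10:", evaluate(acl, "10.1.2.3", "192.0.2.10"))
```

Deleting the 169.254.0.0 line from the sample makes uncovered_reserved report "link-local", which is the kind of gap the check is for. The multicast entry has no "log" keyword, as in the post, and evaluate reports that too, so you can see which denies will actually show up on the syslog host.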



4. Block incoming packets that claim to have the same destination and
source address (i.e. a 'Land' attack on the router itself). Here <ipaddress3>
is the address of the interface the list is applied to.

access-list 102 deny ip host <ipaddress3> host <ipaddress3> log
! without an explicit permit, the implicit "deny any" at the end of the list would drop all other traffic
access-list 102 permit ip any any

interface Eth 0/1
ip address <ipaddress3> 255.255.0.0
ip access-group 102 in

5. Configure an access list for the virtual terminal lines to control Telnet
access.

MyRouter(config)# no access-list 92
MyRouter(config)# access-list 92 permit <ipaddress4>
MyRouter(config)# access-list 92 permit <ipaddress5>
MyRouter(config)# access-list 92 permit <ipaddress6>

MyRouter(config)# line vty 0 4
MyRouter(config-line)# access-class 92 in


6. Turn on the router’s logging capability, and use it to log errors and
blocked packets to an internal (trusted) syslog host. Make sure that the
router blocks syslog traffic from untrusted networks.

MyRouter(config)# logging on
MyRouter(config)# logging <Syslog IP address>
MyRouter(config)# logging buffered
MyRouter(config)# logging console critical
MyRouter(config)# logging trap informational
MyRouter(config)# logging facility local1


7. Configure the router to include time information in the logging.

MyRouter(config)# service timestamps log datetime localtime show-timezone msec
MyRouter(config)# clock timezone GMT 0
MyRouter(config)# ntp server <ntp server1>
MyRouter(config)# ntp server <ntp server2>
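Steps 6 and 7 only pay off if someone reads what arrives on the syslog host. The following Python script is an added example, not part of the original post: it parses the messages that ACL entries with the "log" keyword produce, reads the facility and severity out of the syslog priority, notes whether the router's clock was authoritative when each message was stamped (IOS prefixes the timestamp with "*" when it has not synchronised with NTP, and with "." when sync was lost), and totals denied packets per list and source. The sample messages are constructed for the example and use documentation addresses; a real syslog host may also prefix each message with a message counter, which the header pattern tolerates.

```python
import re
from collections import Counter

# Constructed sample of what the syslog host receives. <PRI> = facility*8 + severity,
# so <142> is local1.info, matching "logging facility local1" and "logging trap
# informational" above. "*" before the timestamp means the clock was not authoritative.
SAMPLE_SYSLOG = """\
<142>*Nov 29 10:15:22.103 GMT: %SEC-6-IPACCESSLOGP: list 107 denied tcp 10.0.0.5(40231) -> 192.0.2.10(22), 1 packet
<142>Nov 29 10:15:30.512 GMT: %SEC-6-IPACCESSLOGP: list 107 denied tcp 10.0.0.5(40232) -> 192.0.2.10(22), 3 packets
<142>Nov 29 10:16:01.007 GMT: %SEC-6-IPACCESSLOGDP: list 107 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 5 packets
<142>Nov 29 10:16:45.220 GMT: %SEC-6-IPACCESSLOGS: list 92 denied 198.51.100.77 1 packet
<141>Nov 29 10:17:02.000 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)
"""

# <PRI>, optional message counter, clock flag, timestamp (datetime msec show-timezone
# format), then the %FACILITY-SEVERITY-MNEMONIC: text part of the IOS message.
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?:\d+: )?(?P<sync>[*.]?)"
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: \w+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

# Text of IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP (icmp with type/code)
# and IPACCESSLOGS (standard list: source only) messages.
ACL_TEXT = re.compile(
    r"^list (?P<acl>\d+) (?P<verdict>denied|permitted) (?:(?P<proto>[a-z0-9]+) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?)?"
    r",? (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict describing one syslog line, or None if it is not an IOS message."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    rec = {
        "facility": pri // 8,
        "severity": pri % 8,
        "clock_authoritative": m["sync"] == "",
        "timestamp": m["ts"],
        "mnemonic": m["mnem"],
        "text": m["text"],
    }
    a = ACL_TEXT.match(m["text"]) if m["mnem"].startswith("IPACCESSLOG") else None
    if a:
        rec.update(
            acl=int(a["acl"]),
            verdict=a["verdict"],
            proto=a["proto"] or "ip",
            src=a["src"],
            dst=a["dst"],
            dport=int(a["dport"]) if a["dport"] else None,
            packets=int(a["count"]),
        )
    return rec


def summarise(text):
    """Denied packets per (list, source), plus timestamps stamped by an unsynced clock."""
    denies = Counter()
    unsynced = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["clock_authoritative"]:
            unsynced.append(rec["timestamp"])
        if rec.get("verdict") == "denied":
            denies[(rec["acl"], rec["src"])] += rec["packets"]
    return denies, unsynced


if __name__ == "__main__":
    denies, unsynced = summarise(SAMPLE_SYSLOG)
    for (acl, src), n in denies.most_common():
        print(f"list {acl}: {src} denied {n} packet(s)")
    print("messages with non-authoritative clock:", len(unsynced))
```

Messages stamped by a non-authoritative clock cannot be correlated reliably with events on other hosts, which is why the post pairs the timestamp setting with two NTP servers; the unsynced list makes such gaps visible rather than silently trusting the times.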

8. If your network requires SNMP, then configure an SNMP ACL and
hard-to-guess SNMP community strings.

MyRouter(config)# no snmp-server community public ro
MyRouter(config)# no snmp-server community private rw
MyRouter(config)# no access-list 51
MyRouter(config)# access-list 51 permit <authorised snmp requester>
MyRouter(config)# snmp-server community neither+never ro 51


9. On a border router, allow only internal addresses to enter the router from the
internal interfaces, and allow only traffic destined for internal
addresses to enter the router from the outside (external interfaces).
Block illegal addresses at the outgoing interfaces. Besides preventing
an attacker from using the router to attack other sites, this helps identify
poorly configured internal hosts or networks.

MyRouter(config)# ! ACL 101: only our own addresses may appear as sources on the internal side
MyRouter(config)# no access-list 101
MyRouter(config)# access-list 101 permit ip <internal Network> 0.0.0.255 any
MyRouter(config)# access-list 101 deny ip any any log

MyRouter(config)# ! ACL 102: only traffic addressed to our network may come in from outside
MyRouter(config)# ! (this reuses list number 102 from item 4; pick a different number
MyRouter(config)# ! or merge the entries if both filters are needed on the same router)
MyRouter(config)# no access-list 102
MyRouter(config)# access-list 102 permit ip any <internal Network> 0.0.0.255
MyRouter(config)# access-list 102 deny ip any any log

MyRouter(config)# ! eth 1 is the internal interface
MyRouter(config)# interface eth 1
MyRouter(config-if)# ip access-group 101 in
MyRouter(config-if)# exit

MyRouter(config)# ! eth 0 is the external interface
MyRouter(config)# interface eth 0
MyRouter(config-if)# ip access-group 101 out
MyRouter(config-if)# ip access-group 102 in



10. Shut down unneeded services on the router.

Small services (echo, discard, chargen, etc.) - no service tcp-small-servers
                                              - no service udp-small-servers

BOOTP - no ip bootp server

Finger - no service finger

HTTP - no ip http server

SNMP - no snmp-server


11. Shut down unneeded services on the router. These services allow
certain packets to pass through the router, or send special packets, or
are used for remote router configuration.

CDP - no cdp run

Remote config. - no service config

Source routing - no ip source-route

12. Secure all the interfaces on the router in turn.

Unused interfaces - shutdown

No Smurf attacks - no ip directed-broadcast

Mask replies - no ip mask-reply

Ad-hoc routing - no ip proxy-arp

13. Secure the console line, auxiliary line and the virtual terminal lines on
the router.

Console Line - line con 0
exec-timeout 5 0
login

Auxiliary Line - line aux 0
no exec
exec-timeout 0 10
transport input none

VTY lines - line vty 0 4
exec-timeout 5 0
login
transport input telnet ssh

14. Use more secure passwords.
The enable secret password is protected with an MD5-based hash. Also configure
passwords for the console line, the auxiliary line and the virtual terminal
lines, and turn on service password-encryption to give those line passwords
basic protection against casual reading of the configuration.

Enable secret - enable secret 0 *******

Console Line - line con 0
password *******

Auxiliary Line - line aux 0
password ********

 VTY Lines - line vty 0 4
password ********
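Items 10 through 14 are a checklist, and checklists drift as configurations are edited by hand. The following Python script is an added example, not part of the original post: it splits a saved IOS configuration into global statements and the indented interface and line stanzas, then reports which of the hardening statements above are missing. The sample configuration is constructed for the example, with placeholder secrets and documentation addresses, and deliberately leaves several items out so that the audit has something to report.

```python
# Constructed sample running-config with deliberate gaps (no password-encryption,
# no "no ip source-route", incomplete interface hardening, weak vty stanza).
SAMPLE_CONFIG = """\
service timestamps log datetime localtime show-timezone msec
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip http server
no cdp run
enable secret 5 $1$PLACEHOLDER$notarealhash
!
interface Ethernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group 107 in
 no ip directed-broadcast
 no ip proxy-arp
!
interface Ethernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
logging 192.0.2.20
logging trap informational
logging facility local1
ntp server 192.0.2.30
!
line con 0
 exec-timeout 5 0
 password 7 PLACEHOLDER
 login
line aux 0
 no exec
 exec-timeout 0 10
 transport input none
line vty 0 4
 password 7 PLACEHOLDER
 login
 transport input telnet ssh
"""

# Global statements the post asks for (items 7, 10, 11 and 14).
GLOBAL_REQUIRED = [
    "service password-encryption",
    "service timestamps log datetime localtime show-timezone msec",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no service finger", "no ip http server",
    "no cdp run", "no ip source-route",
]
# Per-interface statements from item 12 (unused interfaces are simply shut down).
INTERFACE_REQUIRED = ["no ip directed-broadcast", "no ip mask-reply", "no ip proxy-arp"]


def parse_config(text):
    """Split an IOS config into a set of global statements and {stanza: set(body)}."""
    top, stanzas, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None            # "!" separates stanzas
            continue
        if raw.startswith(" "):       # indented line belongs to the open stanza
            if current is not None:
                stanzas[current].add(raw.strip())
            continue
        line = raw.strip()
        top.add(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current is not None:
            stanzas.setdefault(current, set())
    return top, stanzas


def audit(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    top, stanzas = parse_config(text)
    findings = [f"global: missing '{s}'" for s in GLOBAL_REQUIRED if s not in top]
    if not any(s.startswith("enable secret ") for s in top):
        findings.append("global: no 'enable secret' configured")
    if not any(s.startswith(("logging host ", "logging ")) and s.split()[1][0].isdigit() for s in top):
        findings.append("global: no syslog host configured")
    if not any(s.startswith("ntp server ") for s in top):
        findings.append("global: no ntp server configured")
    for name, body in stanzas.items():
        if name.startswith("interface ") and "shutdown" not in body:
            findings += [f"{name}: missing '{s}'" for s in INTERFACE_REQUIRED if s not in body]
        elif name.startswith("line "):
            if "no exec" in body and "transport input none" in body:
                continue              # the aux-line pattern from item 13: nothing can log in
            if not any(s.startswith("exec-timeout ") for s in body):
                findings.append(f"{name}: missing exec-timeout")
            if not any(s == "login" or s.startswith("login ") for s in body):
                findings.append(f"{name}: no login required")
            if name.startswith("line vty") and not any(s.startswith("access-class ") for s in body):
                findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

The audit only sees statements that appear in the text, and IOS omits settings that are at their default from "show running-config", so a service that is off by default will still be reported until its "no ..." line is entered explicitly; "show running-config all" on releases that support it shows the defaults as well and is the better input for the script.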

Reference: http://www.tek-tips.com/faqs.cfm?fid=6616